Corporate Statements About GDPR Spark Securities Class Action Lawsuit
Since the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, commentators and analysts have speculated about the regulation’s potential effect on securities class action suits based on directors’ and officers’ statements with respect to GDPR compliance. In a climate where securities class actions have increased in frequency each year, the question has become a critical one for boards of directors and their insurers (both D&O and cybersecurity), as each has tried to forecast whether GDPR would provide a new breeding ground for securities class actions. The case Bhattacharya v. Nielsen Holdings PLC, et al., Case No. 18-07677, filed on August 22, 2018 in the United States District Court for the Southern District of New York may begin to provide an answer.
In Bhattacharya, the plaintiff, a shareholder of the media ratings company Nielsen, alleges that the company and its directors and officers repeatedly misstated to the public that “because privacy was built into the way its [Nielsen’s] business processes, the enactment of the European General Data Protection Regulation (‘GDPR’) would not impact its business, nor limit necessary access to large data sets provided by its partners like Facebook.” According to the lawsuit, defendants also informed the public that “we have access to all the data that we need for our measurement products,” and “the [GDPR] has been more of a nonevent.” According to the lawsuit, that turned out to not be the case.
The lawsuit contends that Nielsen revealed the “truth” of GDPR’s effect on July 26, 2018, when the company revised its financials by, among other things, reducing its estimated free cash flow guidance by $250 million. According to the lawsuit, Nielsen repeatedly cited GDPR for the reason of the revised financials, stating:
- “General Data Protection Regulation and changes in the consumer data privacy landscape impacted our growth rates in the near-term as clients and partners grapple with the changes and work to ensure compliance.”
- “Marketing Effectiveness revenues increased 7.2%, or 6.0% on a constant currency basis, . . . partly offset by pressure on our clients and partners from the impact of the General Data Protection Regulation (GDPR) and other consumer data privacy considerations.”
- “[Our] digital advertising ecosystem saw a disruption in the second quarter as large digital platforms made changes to their offerings to increase security for consumer data.”
While only in its preliminary stages, this case provides good early lessons for both company boards of directors and insurers. GDPR and other similar privacy laws being passed in the United States and worldwide can have a significant impact upon business growth. Statements issued by public companies and their board of directors concerning these privacy laws are and will be scrutinized by investors. Where companies publicly underestimate the impact of privacy regulation, whether in a SEC filing or elsewhere, an investigation and/or lawsuit certainly may follow. Bhattacharya may be a bellwether case to watch.